User: Password:
|
|
Subscribe / Log in / New account

Kernel vulnerabilities: old or new?

Kernel vulnerabilities: old or new?

Posted Oct 20, 2010 2:18 UTC (Wed) by spender (subscriber, #23067)
In reply to: Kernel vulnerabilities: old or new? by kees
Parent article: Kernel vulnerabilities: old or new?

I think it's just the same case as what's always improved Linux security: outside contributors actually auditing the code for security issues, which apparently isn't done otherwise. Other than coccinelle (http://coccinelle.lip6.fr/impact_linux.php) which isn't exactly new (it's been used for patches since 2006) I don't know what "new static analysis tools" are being used. Dan Rosenberg, who's discovered a ridiculous number of vulnerabilities this year, has been using grep. Tavis' auditing has been manual AFAIK.

It's worse than just 80 for this year. You called 80 the "known issues", but really it's just the problems for which CVEs have been allocated. Dan Rosenberg had a huge collection of information leak vulnerabilities that still haven't received CVEs despite numerous requests. If you follow oss-sec (I know Kees follows it, but this is directed to the other readers), you'll notice Eugene often sends kernel vulnerability information to the list with a message of "I'm not requesting a CVE for this as it does not affect any Red Hat-supported kernels". Often this means the vulnerability was introduced in newer kernels. This mostly explains why there are suspiciously no CVEs for recent kernels: simply that nobody bothers to ask for CVEs for recently introduced vulnerabilities.

And again it demonstrates the problem of silent vulnerability fixing. The editor is left to gauge vulnerability risk by allocated CVEs -- a biased metric which ultimately biases any conclusions derived purely from the dataset. How different would it look if Dan Rosenberg didn't mail repeatedly to make sure the vulnerabilities he discovered were assigned CVEs? It might end up like my http://grsecurity.net/~spender/64bit_dos.c which after over 2 months now still has no CVEs or committed fixes.

The sad thing is nobody has any clue how bad it really is. The scary thing is we're finding evidence that blackhats have developed exploits for vulns months or years ahead of the reactive vuln fixing going on. Look at how Microsoft changed strategy years ago in response to these systemic problems, or how Adobe recently has been taking some defensive steps (hardening their JIT and sandboxing the next version of Reader). Linux is in dire need of a similar change, but it's unlikely to ever occur in mainline unless starts with the leadership.

-Brad


(Log in to post comments)

Kernel vulnerabilities: old or new?

Posted Oct 20, 2010 5:18 UTC (Wed) by error27 (subscriber, #8346) [Link]

I've used Smatch to fix a bunch of buffer range checking bugs (at least 50 since January). But I didn't get any CVEs. Actually most of them weren't exploitable.

But yeah. I don't think the fixes on this list were found with static analysis tools. Vasiliy Kulikov just posted a list of eight information leaks and people assumed he used a tool but he did it with grep. It seems to me like you could find a bunch of information leaks automatically but no one has done that yet.

Kernel vulnerabilities: old or new?

Posted Oct 20, 2010 8:28 UTC (Wed) by michaeljt (subscriber, #39183) [Link]

Brad, ever thought of submitting a couple of guest articles to the security section of LWN?

Kernel vulnerabilities: old or new?

Posted Oct 20, 2010 17:16 UTC (Wed) by bronson (subscriber, #4806) [Link]

Agreed. They might be impassioned and even inflammatory, but I bet they'd be awesome reading.

Kernel vulnerabilities: old or new?

Posted Oct 21, 2010 12:29 UTC (Thu) by nix (subscriber, #2304) [Link]

Strongly agreed. The more people learn about how to apply Spengler-style paranoia to the code they themselves write, the better our security gets.

Spender writing for LWN.net

Posted Oct 22, 2010 19:57 UTC (Fri) by promotion-account (guest, #70778) [Link]

Completely agree. All these released exploits (and the heated discussions about them) made me think more seriously about security of the code I write.

Kernel vulnerabilities: old or new?

Posted Oct 25, 2010 9:01 UTC (Mon) by dany (subscriber, #18902) [Link]

Yes, Brad's own security articles would be for LWN fresh water (or complete shock therapy :)

Rate of introduction vs removal

Posted Oct 25, 2010 21:28 UTC (Mon) by man_ls (guest, #15091) [Link]

For starters, how about concocting a different metric which shows what our esteemed editor was trying to discover here: what is the rate of introduction and removal of security holes in the kernel. His own approach for this article was arguably thin. I am sure spender must have a couple of ideas.

Kernel vulnerabilities: old or new?

Posted Oct 26, 2010 21:38 UTC (Tue) by spender (subscriber, #23067) [Link]

For future reference (since this post seems to be linked to from elsewhere) the CVEs I mentioned in the previous post that Dan Rosenberg was still waiting to have allocated were finally provided yesterday on oss-sec:
http://seclists.org/oss-sec/2010/q4/78

It's 12 new CVEs, bringing the count to 92, 15% higher, from just one guy with grep and a few days in his spare time (and some of the CVEs cover multiple vulnerabilities).

-Brad


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds